The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Untethered jailbreak"
m |
|||
(52 intermediate revisions by 22 users not shown) | |||
Line 1: | Line 1: | ||
+ | An '''untethered jailbreak''' is a jailbreak wherein a user can reboot their device at will, and have their device start up with the jailbreak automatically applied without the assistance of a computer or a utility on the device. |
||
− | == Summary == |
||
− | An untethered jailbreak is a type of [[jailbreak]] where your device does not require you to reboot with a connection to an external device capable of executing commands on the device. |
||
+ | These jailbreaks can be applied via multiple different methods, the most common of which being kernel exploits. |
||
− | == Device == |
||
− | All [[iPhone]], [[iPod touch]], and [[K48ap|iPad]] models including the [[N90ap|iPhone 4]] have an untethered jailbreak at the latest firmware currently available. |
||
+ | == Kernel exploits == |
||
− | Devices with a newer [[bootrom]], which include some [[N88ap|iPhone 3GS]] units and "MC" model [[N72ap|iPod touch 2G]] units, as well as all [[N18ap|iPod touch 3G]], [[K48ap|iPad]], and [[N90ap|iPhone 4]] units, can't have a untethered jailbreak by [[PwnageTool]], since PwnageTool relies on exploits in the bootrom that allow signature checks to be circumvented. |
||
+ | Most untethered jailbreaks rely on vulnerabilities in the kernel and early boot process, typically using a combination of codesigning bypasses and manipulating the system into executing a binary early in the boot process (or obtaining unsigned code execution via a vulnerability in an existing startup process). Once code execution has been obtained, a kernel exploit is used in order to patch the currently loaded kernel to allow for the rootfs to be remounted as read/write, and to allow for unsigned code execution. |
||
− | However, it is possible to perform a untethered jailbreak on any device with any firmware version between 3.1.2 and 4.0.1 using [[Star]] (This include any [[K48ap|iPad]] models, running 3.2 or 3.2.1). Star stores some code inside the device's VRAM in order to perform the untethered part of the jailbreak. It can be seen as some colored pixels before the [[SpringBoard]] is loaded. |
||
+ | Tools that use kernel exploits to achieve untethered jailbreaks: |
||
− | == Operating System == |
||
− | [[Star]] runs on the device itself, so the untethered jailbreak for iOS 3.1.2 to 4.0.1 is completely independent from a computer's operating system since there's no need to connect the device to any computer in order to jailbreak. |
||
+ | *[[Spirit]] |
||
− | [[PwnageTool]] can only be used on Mac OS X. |
||
+ | *[[Star|JailbreakMe 2.0 (star)]]/[[Saffron|JailbreakMe 3.0 (saffron)]] |
||
+ | *[[limera1n]] |
||
+ | *[[greenpois0n]] |
||
+ | *[[Absinthe]] |
||
+ | *[[unthredera1n]] |
||
+ | *[[evasi0n]] |
||
+ | *[[p0sixspwn]] |
||
+ | *[[evasi0n7]] |
||
+ | *[[Pangu]] |
||
+ | *[[Pangu8]] |
||
+ | *[[TaiG]] |
||
+ | *[[etasonJB]] |
||
+ | *[[UntetherHomeDepot]] |
||
+ | *[[Pangu9]] |
||
+ | *[[Fugu14]] |
||
+ | |||
+ | == BootROM exploits == |
||
+ | |||
+ | Older devices, such as the iPhone 3GS, iPod touch 2 (old bootrom) and earlier, have had vulnerabilities discovered in the [[BootROM]] that are able to be executed without the assistance of DFU mode (such as via a malformed image in the NOR) allowing for stages of the boot chain to be overwritten with custom code, such as a patched LLB/iBoot to allow for an unsigned kernel, and a custom boot logo. Examples of bootrom exploits that allow for untethered code execution are [[Pwnage]], [[0x24000 Segment Overflow|24kpwn]] and [[alloc8 Exploit|alloc8]]. |
||
+ | |||
+ | Tools that use bootROM exploits to achieve untethered jailbreaks: |
||
+ | |||
+ | *[[redsn0w]] |
||
+ | *[[sn0wbreeze]] |
||
+ | *[[PwnageTool]] |
||
+ | *[[ipwndfu]] |
||
+ | |||
+ | == iBoot exploits == |
||
+ | |||
+ | Some jailbreaks abuse vulnerabilities in the currently installed [[iBoot]] in order to patch out signature checks or load an alternative iBoot, therefore being able to load a patched and jailbroken kernel. Very few jailbreak utilities opt to use this method, as iBoot exploits are rare to come across and are able to be patched by Apple with software updates, thereby only being able to be used if blobs have been saved, or if the device was discontinued before Apple released a patch. |
||
+ | |||
+ | ==See also== |
||
+ | *[[Jailbreak]] |
||
+ | *[[Jailbreak Exploits]] |
||
+ | *[[Tethered jailbreak]] |
||
+ | *[[Semi-tethered jailbreak]] |
||
+ | *[[Semi-untethered jailbreak]] |
||
+ | |||
+ | [[Category:Jailbreaking]] |
Latest revision as of 20:07, 24 October 2021
An untethered jailbreak is a jailbreak wherein a user can reboot their device at will, and have their device start up with the jailbreak automatically applied without the assistance of a computer or a utility on the device.
These jailbreaks can be applied via multiple different methods, the most common of which being kernel exploits.
Kernel exploits
Most untethered jailbreaks rely on vulnerabilities in the kernel and early boot process, typically using a combination of codesigning bypasses and manipulating the system into executing a binary early in the boot process (or obtaining unsigned code execution via a vulnerability in an existing startup process). Once code execution has been obtained, a kernel exploit is used in order to patch the currently loaded kernel to allow for the rootfs to be remounted as read/write, and to allow for unsigned code execution.
Tools that use kernel exploits to achieve untethered jailbreaks:
- Spirit
- JailbreakMe 2.0 (star)/JailbreakMe 3.0 (saffron)
- limera1n
- greenpois0n
- Absinthe
- unthredera1n
- evasi0n
- p0sixspwn
- evasi0n7
- Pangu
- Pangu8
- TaiG
- etasonJB
- UntetherHomeDepot
- Pangu9
- Fugu14
BootROM exploits
Older devices, such as the iPhone 3GS, iPod touch 2 (old bootrom) and earlier, have had vulnerabilities discovered in the BootROM that are able to be executed without the assistance of DFU mode (such as via a malformed image in the NOR) allowing for stages of the boot chain to be overwritten with custom code, such as a patched LLB/iBoot to allow for an unsigned kernel, and a custom boot logo. Examples of bootrom exploits that allow for untethered code execution are Pwnage, 24kpwn and alloc8.
Tools that use bootROM exploits to achieve untethered jailbreaks:
iBoot exploits
Some jailbreaks abuse vulnerabilities in the currently installed iBoot in order to patch out signature checks or load an alternative iBoot, therefore being able to load a patched and jailbroken kernel. Very few jailbreak utilities opt to use this method, as iBoot exploits are rare to come across and are able to be patched by Apple with software updates, thereby only being able to be used if blobs have been saved, or if the device was discontinued before Apple released a patch.